Note:: NA - Mail Service

Notes on the homework for the NCTU Computer Network Administration course, HW3 - Mail Service

Update Firewall Rules

## Accept Email related services.

### SMTP
iptables -A FORWARD -p tcp --dport 25 -d 172.16.15.20 -j ACCEPT
iptables -A FORWARD -p tcp --dport 465 -d 172.16.15.20 -j ACCEPT
### POP3
iptables -A FORWARD -p tcp --dport 110 -d 172.16.15.20 -j ACCEPT
iptables -A FORWARD -p tcp --dport 995 -d 172.16.15.20 -j ACCEPT
### IMAP
iptables -A FORWARD -p tcp --dport 143 -d 172.16.15.20 -j ACCEPT
iptables -A FORWARD -p tcp --dport 993 -d 172.16.15.20 -j ACCEPT

DNS

SPF

;; ANSWER SECTION:
15.nasa.                86400   IN      TXT     "v=spf1 a mx ip4:172.16.15.20 -all"

DMARC

  • The record is not published at the zone apex
  • It lives at _dmarc.<domain>
;; ANSWER SECTION:
_dmarc.15.nasa.         604800  IN      TXT     "v=DMARC1;p=reject;sp=none;pct=100;aspf=r;rua=mailto:TA@15.nasa;ruf=mailto:TA@15.nasa;rf=afrf;ri=86400;fo=1"

DKIM

OpenDKIM is used to generate the key pair and to sign outgoing mail.

  • apt install opendkim opendkim-tools
  • opendkim-genkey -t -s dkim -d <domain>

DKIM Record

;; ANSWER SECTION:
dkim._domainkey.15.nasa. 499830	IN	TXT	"v=DKIM1; h=sha256; k=rsa; t=y; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvkHpLlV6aIFTEilF2dDamwCw3wCf9LGsN82GGYfRl7Ts4wRqUnOFXtejp4Vcm/oNDQtq4+WX3nOQaGSV/m8r66qxWD74ZW4krZFew+L9sBRzGijCXYC3v9T3IgYmUyM1vr5vxuq/TBjohaLgNq9lNnyBvD1M7kq5+b/WTMdJT8TPLSCf9nZS8VY/HQCamLoBfOaXnvSajLQ32G" "hlqTFtoDWEjo3S5mvEQ8lAhrUJdm/JG8bTvGo9Q4gftXHQrvjlFe11ptNwwm9eMW8QhuN0vLRUJWLeZOuGauoMBykUWAxlPeOylqEURXc29J5XXWYBz5hqt0i2d84S/6UXHIOaRQIDAQAB"
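The SPF and DMARC records above decide what a receiving server does with mail claiming to be from 15.nasa. As an added example (not part of the original post), the Python below evaluates them offline against constructed zone data: a minimal SPF check for the a, mx and ip4 mechanisms the record uses, a DMARC tag parser, and the relaxed (aspf=r) versus strict identifier alignment that decides whether p=reject applies. DKIM is not modelled, and the zone data and sending IPs are constructed stand-ins for real DNS.

```python
import ipaddress

# Constructed zone data mirroring the records above (no live DNS is queried).
ZONE = {
    "15.nasa": {"A": ["172.16.15.20"], "MX": ["mail.15.nasa"]},
    "mail.15.nasa": {"A": ["172.16.15.20"]},
}
SPF_TXT = "v=spf1 a mx ip4:172.16.15.20 -all"
DMARC_TXT = ("v=DMARC1;p=reject;sp=none;pct=100;aspf=r;rua=mailto:TA@15.nasa;"
             "ruf=mailto:TA@15.nasa;rf=afrf;ri=86400;fo=1")
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_dmarc(txt):
    """DMARC record -> tag dict; tags are ';'-separated key=value pairs."""
    return dict(kv.strip().split("=", 1) for kv in txt.split(";") if kv.strip())

def spf_check(ip, domain, txt, zone=ZONE):
    """Minimal SPF evaluator for the mechanisms used above (a, mx, ip4, all):
    the result for a connection from `ip` using a MAIL FROM in `domain`."""
    addr = ipaddress.ip_address(ip)
    for term in txt.split()[1:]:                       # skip the v=spf1 token
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        target = zone.get(arg or domain, {})           # domain an a/mx refers to
        if name == "all":
            return QUALIFIERS[qualifier]
        if name == "ip4" and addr in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
        if name == "a" and ip in target.get("A", []):
            return QUALIFIERS[qualifier]
        if name == "mx" and any(ip in zone.get(mx, {}).get("A", [])
                                for mx in target.get("MX", [])):
            return QUALIFIERS[qualifier]
    return "neutral"                                   # no mechanism matched

def spf_aligned(from_domain, mail_from_domain, mode):
    """DMARC SPF alignment: aspf=r (relaxed, as in the record) also accepts a
    subdomain; aspf=s needs the header From domain to equal the MAIL FROM domain."""
    if mode == "s":
        return from_domain == mail_from_domain
    return from_domain == mail_from_domain or from_domain.endswith("." + mail_from_domain)

def dmarc_disposition(ip, from_domain, mail_from_domain, spf_txt=SPF_TXT, dmarc_txt=DMARC_TXT):
    """Apply the p= policy when SPF does not pass with alignment (DKIM not modelled)."""
    tags = parse_dmarc(dmarc_txt)
    passed = spf_check(ip, mail_from_domain, spf_txt) == "pass"
    if passed and spf_aligned(from_domain, mail_from_domain, tags.get("aspf", "r")):
        return "accept"
    return tags["p"] if tags.get("p") in ("reject", "quarantine") else "accept"
```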

Setting Postfix

  • main.cf
## OpenDKIM
milter_protocol = 6
smtpd_milters = inet:localhost:8892
non_smtpd_milters = inet:localhost:8892

Dovecot

  • Dovecot for SASL and IMAP service

Passwdfile

  • As userdb and passdb
  • Generate Password
    • doveadm pw
  • The trailing colons after the password hash are required
test_user:{CRYPT}$2y$05$VS04K3k2lMr44J7MaerG.e69SmB5ErL6.q3ryDMBeZhe0CPLqkzaq:::::
ta:{CRYPT}$2y$05$vD7Wx/NV8MptYBSIxHr/3uOWYeH3SZpIOVQi13qUa31zVKepwzMz2:::::
cool-ta:{CRYPT}$2y$05$Az/ekGaBtiHIkFN0m3dOGOsPQLHqVmWCPb/1UxGQ7EJZK9Auq306S:::::

auth-passwdfile.conf.ext

passdb {
  driver = passwd-file
  args = scheme=CRYPT username_format=%Lu /etc/dovecot/users
}

userdb {
  driver = passwd-file
  args = username_format=%Lu /etc/dovecot/users
}

Virtual Transport

  • LMTP
  • 10-master.conf
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0666
    group = postfix
    user = postfix
  }
}

Mail Storage Location

  • 10-mail.conf
mail_home = /var/mail/%d/%n
mail_location = maildir:~/mail

Postfix

Virtual Mailbox

  • main.cf
virtual_mailbox_domains = 15.nasa mail.15.nasa
virtual_mailbox_maps = regexp:/etc/postfix/virtual-mailbox-users
  • virtual-mailbox-users
/^TA@.*\.?15\.nasa$/ TA
/^cool-TA@.*\.?15\.nasa$/ cool-TA
/^ubuntu@.*\.?15\.nasa$/ ubuntu

Transport Mail to Dovecot

  • main.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_alias_maps = regexp:/etc/postfix/virtual-aliases

Virtual Aliases

  • virtual-aliases
/^NASATA@(.*\.?15\.nasa)$/ TA@15.nasa
/^.*\|(.*)@(.*\.?15\.nasa)$/ $1@15.nasa
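Both tables are Postfix regexp: maps, which are case-insensitive by default, stop at the first matching line, and expand $1, $2 ... from the matching pattern. The Python below is an added example (not part of the original post) that emulates those lookups on constructed addresses; the dots of 15.nasa are escaped in its copy of the mailbox map, since an unescaped `.` would also match a name such as 15xnasa.

```python
import re

# Copies of the two regexp tables above. Postfix regexp tables match
# case-insensitively by default, the first matching line wins, and $N in the
# result refers to capture group N. The dots of 15.nasa are escaped here.
VIRTUAL_MAILBOX_USERS = [
    (r"^TA@.*\.?15\.nasa$", "TA"),
    (r"^cool-TA@.*\.?15\.nasa$", "cool-TA"),
    (r"^ubuntu@.*\.?15\.nasa$", "ubuntu"),
]
VIRTUAL_ALIASES = [
    (r"^NASATA@(.*\.?15\.nasa)$", "TA@15.nasa"),
    (r"^.*\|(.*)@(.*\.?15\.nasa)$", "$1@15.nasa"),
]

def regexp_lookup(table, key):
    """Emulate one Postfix regexp table lookup; None when no line matches."""
    for pattern, result in table:
        m = re.search(pattern, key, re.IGNORECASE)
        if m:
            # expand $1, $2 ... from the groups of the matching line
            return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), result)
    return None

def deliver_to(address):
    """Rewrite through virtual_alias_maps, then look the result up in
    virtual_mailbox_maps; returns (final address, mailbox or None)."""
    rewritten = regexp_lookup(VIRTUAL_ALIASES, address) or address
    return rewritten, regexp_lookup(VIRTUAL_MAILBOX_USERS, rewritten)
```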

TLS

Generate CA Key

  • openssl genrsa -des3 -out ca.key 4096

Self-signing the CA Certificate

  • openssl req -x509 -new -nodes -key ca.key -sha256 -days 365 -out ca.crt

Generate Host (Service) Key

  • openssl genrsa -out mail.15.nasa.key 4096

Generate CSR

  • openssl req -new -key mail.15.nasa.key -sha256 -out mail.15.nasa.csr

  • Passing the subject attributes on the command line

    • openssl req -new -key mail.15.nasa.key -subj "/C=TW/ST=Taiwan/L=Taipei City/O=MyOrg/OU=MyUnit/CN=mail.15.nasa" -sha256 -out mail.15.nasa.csr

Use the CSR to Sign the Host Certificate

  • openssl x509 -req -in mail.15.nasa.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out mail.15.nasa.crt -days 30 -sha256

SASL

# SASL with dovecot
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous

Restrictions

smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination

smtpd_sender_restrictions =
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        reject_sender_login_mismatch,
        check_sender_access hash:/etc/postfix/reject-null-sender,
        permit

smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        reject_unauth_destination,
        check_policy_service inet:127.0.0.1:10023,
        permit
  • Blocking null sender using check_sender_access
    • <> REJECT null sender not allowed
  • Greylisting using postgrey
    • check_policy_service inet:127.0.0.1:10023
    • postgrey daemon listening on port 10023
  • Login mismatch
    • smtpd_sender_login_maps = $virtual_mailbox_maps
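As an added example (not part of the original post), the Python below emulates how Postfix walks these three lists for a few constructed sessions: an unauthenticated outside client sending to a local mailbox is greylisted, a null sender and an unauthenticated use of a local address are rejected, an authenticated user skips greylisting but cannot send as another user, and a mynetworks client sending outward is let through by the relay list yet still meets reject_unauth_destination in the recipient list, which has no permit_mynetworks. The domain sets, the lower-case owner map and the greylist state are constructed stand-ins for DNS, $virtual_mailbox_maps and postgrey.

```python
# Constructed emulation of the three restriction lists above (not Postfix code).
# At RCPT TO, Postfix walks sender, relay and recipient restrictions in that
# order; REJECT/DEFER ends the evaluation, 'permit' ends only its list (None).
MY_DOMAINS = {"15.nasa", "mail.15.nasa"}                # virtual_mailbox_domains
KNOWN_DOMAINS = MY_DOMAINS | {"example.org"}            # stands in for DNS lookups
SENDER_LOGIN_MAPS = {"ta@15.nasa": "ta", "cool-ta@15.nasa": "cool-ta"}  # $virtual_mailbox_maps

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def sender_restrictions(s):
    sender, login = s["sender"], s.get("sasl_user")
    if sender == "":                                    # check_sender_access: <> REJECT
        return "REJECT null sender not allowed"
    if "." not in _domain(sender):                      # reject_non_fqdn_sender
        return "REJECT non-FQDN sender address"
    if _domain(sender) not in KNOWN_DOMAINS:            # reject_unknown_sender_domain
        return "REJECT unknown sender domain"
    owner = SENDER_LOGIN_MAPS.get(sender.lower())       # reject_sender_login_mismatch: an owned
    if (owner or login) and owner != login:             # address needs its owner logged in, and a
        return "REJECT sender address not owned by login"  # login may only use addresses it owns
    return None                                         # permit

def relay_restrictions(s):
    if s.get("mynetworks") or s.get("sasl_user"):       # permit_mynetworks, permit_sasl_authenticated
        return None
    return None if _domain(s["recipient"]) in MY_DOMAINS else "REJECT relay access denied"

def recipient_restrictions(s, greylist_seen):
    if s.get("sasl_user"):                              # permit_sasl_authenticated
        return None
    rcpt = s["recipient"]
    if "." not in _domain(rcpt):                        # reject_non_fqdn_recipient
        return "REJECT non-FQDN recipient address"
    if _domain(rcpt) not in KNOWN_DOMAINS:              # reject_unknown_recipient_domain
        return "REJECT unknown recipient domain"
    if _domain(rcpt) not in MY_DOMAINS:                 # reject_unauth_destination (no mynetworks exemption)
        return "REJECT relay access denied"
    if (s["client"], s["sender"], rcpt) not in greylist_seen:  # check_policy_service (postgrey)
        return "DEFER greylisted, retry later"
    return None                                         # permit

def rcpt_to(session, greylist_seen=frozenset()):
    """SMTP verdict for one session dict: client, sender, recipient, optional sasl_user/mynetworks."""
    for verdict in (sender_restrictions(session), relay_restrictions(session),
                    recipient_restrictions(session, greylist_seen)):
        if verdict:
            return verdict
    return "250 OK"
```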

Outgoing Filter

  • main.cf
header_checks = regexp:/etc/postfix/header-filter
  • header_filter
/^Subject:.*NCTU.*/ REJECT Subject contains NCTU
/^Subject:.*陽交.*/ REJECT Subject contains 陽交
/^Subject:.*=e9=99=bd=e4=ba=a4.*/ REJECT Subject contains 陽交
/^Subject:.*6Zm95Lqk.*/ REJECT Subject contains 陽交
/^Subject:.*6pa9uw==.*/ REJECT Subject contains 陽交
/^Subject:.*tqel5g==.*/ REJECT Subject contains 陽交
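The encoded literals in header-filter are the forms a mail client produces for 陽交 under RFC 2047. The Python below is an added example (not part of the original post) that derives them: the three base64 literals are the UTF-8, GBK and Big5 encodings of the word, and the quoted-printable one is UTF-8. It also emulates the case-insensitive header_checks lookup on constructed Subject lines and shows that the base64 literal only matches when the word starts on a 3-byte boundary of the encoded text, which is the filter's blind spot.

```python
import base64
import re

# The page's header-filter rules; Postfix regexp tables are case-insensitive
# by default and the first matching line wins.
HEADER_FILTER = [
    (r"^Subject:.*NCTU.*", "REJECT Subject contains NCTU"),
    (r"^Subject:.*陽交.*", "REJECT Subject contains 陽交"),
    (r"^Subject:.*=e9=99=bd=e4=ba=a4.*", "REJECT Subject contains 陽交"),
    (r"^Subject:.*6Zm95Lqk.*", "REJECT Subject contains 陽交"),
    (r"^Subject:.*6pa9uw==.*", "REJECT Subject contains 陽交"),
    (r"^Subject:.*tqel5g==.*", "REJECT Subject contains 陽交"),
]

def header_check(header_line):
    """Emulate a header_checks lookup; None means no rule matched."""
    for pattern, action in HEADER_FILTER:
        if re.search(pattern, header_line, re.IGNORECASE):
            return action
    return None

def encoded_forms(word):
    """RFC 2047 B (base64) and Q (quoted-printable) payloads of `word` in the
    charsets a Chinese-language client may pick; these are the filter's literals."""
    forms = {}
    for charset in ("utf-8", "gbk", "big5"):
        raw = word.encode(charset)
        forms[(charset, "B")] = base64.b64encode(raw).decode("ascii")
        forms[(charset, "Q")] = "".join("=%02X" % b for b in raw)
    return forms

def b_hits_by_alignment(word, pattern="6Zm95Lqk"):
    """base64 regroups every 3 bytes, so the B literal only appears when the
    word starts at byte offset 0, 3, 6, ... of the encoded text. Returns the
    hit/miss result for 0, 1 and 2 constructed leading bytes."""
    raw = word.encode("utf-8")
    return [pattern in base64.b64encode(b"x" * n + raw).decode("ascii")
            for n in range(3)]
```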

Incoming Filter

SpamAssassin

  • Rewrite the Subject header
  • Disable the report attachment (report_safe 0) so spam is tagged in place instead of being attached to a report.
  • local.cf
#   Add *****SPAM***** to the Subject header of spam e-mails
#
rewrite_header Subject *** SPAM ***


#   Save spam messages as a message/rfc822 MIME attachment instead of
#   modifying the original message (0: off, 2: use text/plain instead)
#
report_safe 0


#   Set which networks or hosts are considered 'trusted' by your mail
#   server (i.e. not spammers)
#
# trusted_networks 212.17.35.


#   Set file-locking method (flock is not safe over NFS, but is faster)
#
# lock_method flock


#   Set the threshold at which a message is considered spam (default: 5.0)
#
required_score 5.0


#   Use Bayesian classifier (default: 1)
#
use_bayes 1


#   Bayesian classifier auto-learning (default: 1)
#
bayes_auto_learn 1

Amavisd-new

  • Do not drop spam or virus mail.
  • Add the *** SPAM *** tag to virus mail.
  • 21-ubuntu-default
# DOMAIN KEYS IDENTIFIED MAIL (DKIM)
$enable_dkim_verification = 1;
# Don't be verbose about sending mail:
@whitelist_sender_acl = qw( .$mydomain );
$final_virus_destiny      = D_PASS; # (defaults to D_BOUNCE)
$final_banned_destiny     = D_PASS;  # (defaults to D_BOUNCE)
$final_spam_destiny       = D_PASS;  # (defaults to D_REJECT)
$final_bad_header_destiny = D_PASS;  # (defaults to D_PASS), D_BOUNCE suggested

$subject_tag_maps_by_ccat{+CC_VIRUS} = [ '*** SPAM *** ' ];

$virus_admin = undef;
$spam_admin = undef;

Installation

  • apt install spamassassin spamc
  • adduser spamd --disabled-login

Configuration

  • /etc/default/spamassassin
OPTIONS="--create-prefs --max-children 5 --username spamd --helper-home-dir /home/spamd/ -s /home/spamd/spamd.log"

# Pid file
# Where should spamd write its PID to file? If you use the -u or
# --username option above, this needs to be writable by that user.
# Otherwise, the init script will not be able to shut spamd down.
PIDFILE="/var/run/spamd.pid"

# Set nice level of spamd
#NICE="--nicelevel 15"

# Cronjob
# Set to anything but 0 to enable the cron job to automatically update
# spamassassin's rules on a nightly basis
CRON=1
  • /etc/spamassassin/local.cf
#   Add *****SPAM***** to the Subject header of spam e-mails
rewrite_header Subject *** SPAM ***

#   Set the threshold at which a message is considered spam (default: 5.0)
required_score 5.0

#   Use Bayesian classifier (default: 1)
use_bayes 1
  • /etc/postfix/master.cf
smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=spamassassin
spamassassin unix -     n       n       -       -       pipe
    user=spamd argv=/usr/bin/spamc -f -e
    /usr/sbin/sendmail -oi -f ${sender} ${recipient}

Testing

IMAP

  • openssl s_client -crlf -connect mail.15.nasa:993
  • tag login ta@15.nasa 2V73wQpvTgwBGZPQscSsSnPU7nDYA9QP
  • tag LIST "" "*"
  • tag SELECT INBOX
  • tag STATUS INBOX (MESSAGES)
  • tag FETCH 16 (BODY[HEADER])
  • tag FETCH 5 (BODY)

Troubleshooting

Postfix

Differences between smtpd_relay_restrictions and smtpd_sender_restrictions

  • reject_sender_login_mismatch should not be placed in the relay restrictions.
    • It gives us no way to restrict external users.

Dovecot

Cannot drop privileges for a virtual user

  • Failed to initialize user: Couldn't drop privileges: User is missing UID (see mail_uid setting)
    • Set both mail_uid and mail_gid
  • Failed to initialize user: Mail access for users with UID 8 not permitted (see first_valid_uid in config file, uid from mail_uid setting).
    • Lower first_valid_uid (default 500) so that the target UID, uid(mail) == 8, is allowed.

Can't expand ~/ for mail root dir

Failed to initialize user: Namespace '': Home directory not set for user. Can't expand ~/ for mail root dir in: ~/mail:INBOX=/var/mail/ta
  • Replace mail_location = mbox:~/mail:INBOX=/var/mail/%u with:
    • mail_home = /var/mail/%d/%n
    • mail_location = maildir:~/mail

Amavisd-new

Subject is not tagged

  • 05-domain_id was wrong.
  • Set @local_domains_acl to the correct domain.
